
5 Steps to Navigating Third-Party Vendor Relationships

Ernest Anunciacion
Senior Director of Product Marketing
Published: August 13, 2020
Last Updated: April 25, 2023

Every week, there seems to be yet another data breach occupying news headlines. With thousands of companies and millions of employees amassing and exchanging data, there is always room for risk—and there is something to learn from each breach story. 

Recently, on an episode of Off the Books podcast, I discussed a particularly oddball data security snafu suffered by video game behemoth Nintendo. A security breach of a former third-party vendor led to the leak of valuable intellectual property. (Although that episode was recorded a few weeks back, another more recent Nintendo data leak could point toward the same lessons.)

We got into curating successful relationships with outside vendors, finding the right vendors for your organization, operations maintenance, terminating obligations—we covered it all.

Check out the five main steps I outlined in the podcast, and learn how to keep your data safe.

Before even finding a vendor, you need to know exactly what tasks you want to outsource. Sounds obvious, but having exact wants and requirements will ensure that your research is timely and accurate.

With that shortlist of potential vendors in hand, research them, research them, and then research them again. You don’t want any of your valuable data in the wrong hands.

I suggest combing through any available financial records to confirm that a company is financially stable. In the process, you can uncover any past issues they may have faced concerning security, past partnerships, stakeholders, or anything else you may find.

Now that you've found one, what are you doing to review that third party and ensure their qualifications? What risks are being raised by a partnership with this vendor?

This can be done through audit and assessment, either a self-assessment or one performed by an external auditor. One example is a Service and Organization Controls report, also known as a SOC 2. These assessments are performed by an outside party to evaluate the effectiveness of the controls an organization has in place for security, availability, confidentiality, and process integrity.

SOC 2 reports are assessed annually, so you can have continuous monitoring and validation throughout your relationship with a third party.

Another useful exercise in this scenario is the use of a risk assessment matrix. This tool can help your organization identify and prioritize different risks, by estimating the probability of the risk occurring and how severe the impact would be if it were to happen.


Figure out who is going to do what, and make sure parties involved will be able to execute it.

A few provisions you may need to consider include the following:

  • Control the amount and nature of the data a third party uses and has access to
  • Limit your company’s liability
  • Define how to mitigate disputes about performance
  • Declare your right to audit

Our experts suggest always including a Right to Audit clause. Such a provision can give you the right to look into your vendor’s financials, audit operations, and IT security.

In many contracts, such a provision is an expected condition, but many companies never exercise it. Especially when working with high-risk vendors, don’t be afraid to use the Right to Audit clause.

Once a contract is in place, continuous monitoring of risk and performance is critical to maintaining a healthy third-party relationship.

As issues are identified, they need to be mitigated and escalated to the appropriate decision-makers within the organizations. This is where any provisions included in the contract may be implemented.

Termination sounds bad, but it’s not always a negative experience. Contracts end, and if they don’t, they change and are renegotiated over time. As these changes occur, there are risks.

Data needs to be returned to its appropriate owner, and access needs to be terminated, when the contract itself terminates. Not doing so can leave data in the hands of a third party and create an opening for data security breaches, such as what happened to Nintendo and their past vendor.

Check out the full podcast episode here to hear my full thoughts on this matter (and my full thoughts on Mario—much more important, honestly).

Nintendo is a registered trademark of Nintendo of America Inc.



About the Author
Ernest Anunciacion

Senior Director of Product Marketing

Ernest Anunciacion, Senior Director of Product Marketing, brings over 15 years of experience in internal audit, risk management, and business advisory consulting to Workiva. Ernest is a Certified Internal Auditor and Six Sigma Black Belt. He holds an undergraduate degree and an executive MBA from the Carlson School of Business at the University of Minnesota.
